WHAT IS CLAIMED IS:

1. A system for maintaining security in a distributed computing
environment, comprising:

a policy manager for managing a security policy; and

an application guard for managing access to securable components
as specified by the security policy.



2. The system of claim 1, wherein said policy manager comprises a
management station for constructing and editing the security policy.



3. The system of claim [number illegible], wherein said policy manager further
comprises a distributor for distributing the security policy to a client.




4. The system of claim 2, wherein said policy manager further
comprises a distributor for distributing a customized local policy based
on the security policy to a client.



5. The system of claim 4, wherein said policy manager further
comprises a logger for recording and tracking authorization events that
occur through the application guard.






6. The system of claim 4, wherein the policy manager further
comprises a database management system for maintaining the security
policy.

7. The system of claim 4, wherein the customized local policy is 

8. The system of claim 1, wherein said securable components are
selected from the group consisting of: at least one application, a function
within an application, a procedure within an application, a data
structure within an application, a database object referenced by an
application, or a file system object referenced by an application.

9. The system of claim 1, wherein said system is scalable by further
comprising a plurality of clients, said policy manager further managing
and distributing a customized local policy to each client, and at least one
additional application guard located on each client for managing access
to the securable components as specified by each customized local
policy.
10. The system of claim 1, wherein said application guard includes an
application guard interface coupled to an application for requesting
access to the securable components, and at least one authorization
engine for evaluating requests from the application guard interface as
specified by a customized local policy based on the security policy.

11. The system of claim 10, wherein said application guard interface is
located on a client, and said at least one authorization engine and said
customized local policy are located on a client server.

12. The system of claim 1, wherein the security policy is defined by a
policy language to grant or deny access to the securable components for
a particular user.

13. The system of claim 1 further comprising a policy loader for bulk
loading the security policy onto the system.

14. The system of claim 1, wherein said policy manager includes a set
of menu options to manage and distribute the security policy.
15. The system of claim 14, wherein said set of menu options include:
navigate tree, analyze policy, edit policy, distribute policy, and view audit
log.



16. The system of claim 1, wherein the application guard further
allows for additional customized code to process and evaluate
authorization requests based on the additional customized code.



17. The system of claim 1, wherein the policy manager further includes
a policy manager application guard for managing access to the policy
manager as specified by a local administrative policy.
18. A system for controlling user access in a distributed computing
environment, comprising:

a global policy specifying access privileges of the user to securable
components;

a policy manager located on a server for managing and distributing
a local client policy based on the global policy to a client, and
an application guard located on the client for managing access to
the securable components as specified by the local client
policy.
19. The system of claim 18 further comprising at least one additional
client, said policy manager further managing and distributing a
customized local policy based on the global policy to each additional
client, and at least one additional application guard located on each
additional client for managing access to the securable components as
specified by the customized local policy.



20. The system of claim 18, wherein said policy manager comprises

a management station for constructing and editing the global
policy; and

a distributor for distributing the local policy to the client.



21. The system of claim 20, wherein said policy manager further
comprises a database management system for maintaining the global
policy.



22. The system of claim 18, wherein said policy manager further 
comprises a logger for recording and tracking authorization events that 
occur through the application guard. 
23. The system of claim 18, wherein said securable components are
selected from the group consisting of: at least one application, a function
within an application, a procedure within an application, a data
structure within an application, a database object referenced by an
application, or a file system object referenced by an application.






24. The system of claim 18, wherein the global policy is defined by a
policy language to grant or deny access to the securable components for
a particular user.




25. The system of claim 18, wherein said system is scalable by further
comprising a plurality of clients, said policy manager further managing
and distributing a customized local policy to each client, and at least one
additional application guard located on each client for managing access
to the securable components as specified by each customized local
policy.



26. The system of claim 18, wherein said application guard includes
an application guard interface coupled to an application for requesting
access to the securable components, and at least one authorization
engine for evaluating requests from the application guard interface as
specified by the local client policy.
27. The system of claim 18 further comprising a policy bulk loader for
[text illegible] onto the system.



28. The system of claim 18, wherein the local policy is optimized.
29. The system of claim 18, wherein the application guard further
allows for additional customized code to process and evaluate
authorization requests based on the additional customized code.



30. The system of claim 18, wherein the policy manager further
includes a policy manager application guard for managing access to the
policy manager as specified by a local administrative policy.



31. A system for authorization that provides access to securable
components for a user, comprising:

a policy specifying access privileges of the user to the securable
components;

an application guard; and

a processor coupled to said system, said processor executing said
application guard to manage access to the securable
components.






32. The system of claim 31 further including an audit log for recording
and tracking each authorization event that occurs through the application
guard.



33. The system of claim 31, wherein said securable components are
selected from the group consisting of: at least one application, a function
within an application, a procedure within an application, a data
structure within an application, a database object referenced by an
application, or a file system object referenced by an application.



34. The system of claim 31, wherein said application guard comprises
an application guard interface connected to an application for managing
access to the securable components in said application.



35. The system of claim 31, wherein the application guard further
allows for additional customized code to process and evaluate
authorization requests based on the additional customized code.

36. The system of claim 31, wherein said application guard includes
an application guard interface coupled to an application for requesting
access to the securable components, and at least one authorization
engine for evaluating requests from the application guard interface as
specified by a customized local policy based on the policy.
37. The system of claim 36, wherein said application guard interface is
located on a client, and said at least one authorization engine and said
customized local policy are located on a client server.



38. A system for managing security in a distributed computing
environment, comprising:
a policy manager; and
a processor coupled to said system, said processor executing said
policy manager to manage and distribute a customized local
policy based on a global policy to a client.




39. The system of claim 38, wherein said policy manager comprises a
management station for constructing and editing the global policy.

40. The system of claim 39, wherein said policy manager further 
comprises a distributor for distributing the customized local policy to the 
client. 



41. The system of claim 38, wherein said policy manager further
comprises a logger for recording and tracking authorization events that
are received from the client.
42. The system of claim 38, wherein said global policy specifies access
privileges of at least one user to securable components.

43. The system of claim 38, wherein the policy manager comprises a
database management system for maintaining the global policy.



44. The system of claim 38, wherein the global policy is defined by a
policy language to grant or deny access to securable components for a
particular user.




45. The system of claim 38, wherein said policy manager includes a set
of menu options to manage and distribute the customized local policy.



46. The system of claim 38, wherein the customized local policy is
optimized.



47. The system of claim 38, wherein the policy manager further
includes a policy manager application guard for managing access to the
policy manager as specified by a local administrative policy.
48. A method for maintaining security in a distributed computing
environment, comprising the steps of:

managing a policy using a policy manager by specifying access
privileges of a user to securable components; and
distributing the policy to a client having an application guard,
whereby the application guard manages access to the
securable components as specified by the policy.




49. The method of claim 48, further including the step of recording
authorization events that occur through the application guard after
distributing the policy.



50. The method of claim 48, wherein the securable components are
selected from the group consisting of: at least one application, a function
within an application, a procedure within an application, a data
structure within an application, a database object referenced by an
application, or a file system object referenced by an application.
51. A method for maintaining security on a client in a distributed
computing environment, comprising the steps of:

constructing and issuing an authorization request for a user to
access to securable components located on the client using
an application guard;
evaluating the authorization request using the application guard to
determine if the authorization request is valid or invalid; and
allowing access to the user via the application guard if the
evaluated authorization request was valid, and denying
access to the user via the application guard if the
authorization request was invalid.

52. The method of claim 51, after evaluating the authorization request,
further including the step of recording the authorization request in an
audit log.
53. A computer-readable medium comprising program instructions for
maintaining security in a distributed computing environment by
performing the steps of:

managing a policy using a policy manager by specifying access
privileges of a user to securable components;
distributing the policy using the policy manager to a client having
an application guard, whereby the application guard
manages access to the securable components as specified by
the policy; and
executing said policy manager with a processor to manage and
distribute the policy.
54. A computer-readable medium comprising program instructions for
maintaining security on a client in a distributed computing environment
by performing the steps of:

constructing and issuing an authorization request for a user to
access to securable components located on the client using
an application guard;
evaluating the authorization request using the application guard to
determine if the authorization request is valid or invalid;
allowing access to the user via the application guard if the
evaluated authorization request was valid, and denying
access to the user via the application guard if the
authorization request was invalid; and
executing said application guard with a processor to automatically
maintain security on the client.
55. A system for maintaining security in a distributed computing
environment comprising:

means for managing a policy using a policy manager by specifying
access privileges of a user to securable components;
means for distributing the policy using the policy manager to a
client having an application guard, whereby the application
guard manages access to the securable components as
specified by the policy; and
means for executing the policy manager to manage and distribute
the policy.
56. A system for maintaining security on a client in a distributed
computing environment, comprising:

means for constructing and issuing an authorization request for a
user to access to securable components located on the client
using an application guard;
means for evaluating the authorization request using the
application guard to determine if the authorization request is
valid or invalid;
means for allowing access to the user via the application guard if
the evaluated authorization request was valid, and denying
access to the user via the application guard if the
authorization request was invalid; and
means for executing said application guard to automatically
maintain security on the client.
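To make the claimed architecture concrete, the following is an added Python sketch (not code from the patent or from any product implementing it) of the flow in claims 18, 48 and 51: a server-side policy manager derives a customized local policy per client from a global policy, a client-side application guard constructs and evaluates authorization requests against that local policy, and every decision is recorded as an authorization event. The class names, the sample policy rules and the fail-closed default for unmatched requests are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# Constructed sample global policy: (user, client, securable component, effect).
GLOBAL_POLICY = [
    ("alice", "client-A", "payroll", "grant"),
    ("alice", "client-A", "payroll/approve", "deny"),  # a function within the app
    ("bob",   "client-B", "payroll", "grant"),
]

@dataclass(frozen=True)
class AuthEvent:
    client: str
    user: str
    component: str
    decision: str  # "grant" or "deny"

class PolicyManager:
    """Server side: global policy, per-client local policies, audit log."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.audit_log: list[AuthEvent] = []

    def local_policy(self, client: str) -> dict[tuple[str, str], str]:
        # Customized local policy: only the rules that concern this client.
        return {(u, comp): eff for u, cl, comp, eff in self.rules if cl == client}

    def record(self, event: AuthEvent) -> None:
        self.audit_log.append(event)

class ApplicationGuard:
    """Client side: evaluates application requests against the local policy."""
    def __init__(self, client: str, local_policy: dict, logger: Callable[[AuthEvent], None]):
        self.client, self.policy, self.logger = client, local_policy, logger

    def authorize(self, user: str, component: str) -> bool:
        # A request with no matching local rule is treated as invalid: fail closed.
        decision = self.policy.get((user, component), "deny")
        self.logger(AuthEvent(self.client, user, component, decision))
        return decision == "grant"

def demo() -> tuple[tuple[bool, bool, bool], int]:
    pm = PolicyManager(GLOBAL_POLICY)
    guard = ApplicationGuard("client-A", pm.local_policy("client-A"), pm.record)
    results = (guard.authorize("alice", "payroll"),          # granted by local rule
               guard.authorize("alice", "payroll/approve"),  # explicitly denied
               guard.authorize("bob", "payroll"))            # no rule on client-A
    return results, len(pm.audit_log)
```

Note that bob's grant exists only in client-B's local policy, so the same request on client-A is denied and still logged, which is what makes the audit log useful for spotting misrouted or over-broad policy distribution.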